Rethinking Enterprise Risk Management

Today represents a watershed opportunity that your organization has been looking for. We finally have a definitive opportunity to initiate the transformation that is needed for dealing with the range of challenges that we, as operational risk and Enterprise Risk Management (ERM) program managers, have had to deal with. Why today? Because on this day the Securities and Exchange Commission (SEC) released guidance on the handling of cybersecurity incidents and breach disclosures. To me, as an ERM program manager, this is the straw that breaks the camel’s back!

Commission Statement and Guidance on Public Company Cybersecurity Disclosures

Applicable: February 26, 2018

Here’s the 24-page PDF document that you will want to see: HERE.

The bottom line is that we want to underscore to our management on how we feel about getting ahead of the curve. We want to make sure that we’re on the side that is calling for a rethinking of ERM and changing the status quo. Make sense, so far?

But my story does not stop here. That’s because I want to share with you what I feel are the major challenges that so many of us are dealing with when it comes to managing operational risk, running an effective ERM program and dealing with the other problems that this article attempts to capture. If you’re like me, when you get to the end of my reasons for rethinking ERM, you’ll realize that “enough is enough”. It’s either that we sit back and “don’t rock the boat” or we step up to provide the leadership that’s needed to transform how we’re handling operational risk and what we need to do to get our management and peers thinking about what could be. In essence, I am using the SEC’s announcement today as a way to address cybersecurity disclosure guidance and extend this need to encompass all the other areas of risk management that face similar problems.

Cybersecurity is certainly on all our minds and yet we need the same type of disclosure controls and processes for disclosing a broad number of the risks that our global business should be prepared to alert shareholders to. Maybe this is the right time to bring these concerns forward and handle them, in parallel?

With ERM and operational risk, we have a need to:

Rethink / Reengineer - Rethink and then reengineer how we’re dealing with ERM. New processes and new systems are needed to enable us to move beyond the roadblocks that we face today. But we can accomplish this in a way that makes good business sense and that actually creates strategic value rather than erasing it.

Transform Culture - We need to transform our risk management culture. “Cybersecurity convergence” is a great example of how we need to kick-start this business and workforce change. I sum it up by saying that we need to transform our Ways-of-Thinking and Ways-of-Working. This comes down to building new skills and competencies that make sense in today’s fast-paced business environment.

Transform Data and Information - We need to transform how we generate quality risk data that can be effectively used not only by all functional teams but also by multi-functional teams, along with board members and C-suite executives.

Stamp Out Invented Math - We must move away from any risk assessment approaches or methodologies that are tied to ordinal-based ratings, scoring, or heat maps. In this day and age, we know that these rely on “invented math” (arithmetic performed on ordinal ranks that carry no units or consistent scale) and that these non-valid math techniques actually introduce errors into the process of risk management.

Introduce Proven Analytic Approaches - When it comes to employing proven analytic approaches for assessing risk, we’re not doing so well. The current movement towards Monte Carlo simulation is in its infancy; we think it’s a good step forward, but it has some major drawbacks as well. These techniques do not leverage the proven econometric approaches that are in mainstream use in the insurance, engineering and scientific industry segments, such as regression analysis, Bayesian analysis, Loss Exceedance Curve modeling, eigenvector/eigenvalue matrix math, ratio-based scalar measurement and other decision support techniques.


Benchmark / Index - We need to benchmark ourselves against industry peers on how well we’re doing in managing these indicators:

Key Performance Questions (KPQs)
Key Performance Indicators (KPIs)
Key Risk Indicators (KRIs)
Key Control Indicators (KCIs)

By understanding how well we’re doing in regard to “Peer Average” and “Best-in-Class” performance, we can actually transform how we focus on Continual Process Improvement (CPI). Then we need to understand how to deal with the CyberRankings 500 Indexing that is moving forward as a new industry standard.
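The “invented math” and “proven analytic approaches” points above are easiest to see side by side. The following is an added example written for this page (it is not the author’s or their company’s code, and all scenario parameters such as event frequencies and loss sizes are constructed for illustration). It shows two risks that land on the same heat-map score although their expected annual losses differ five-fold, and then runs a small Monte Carlo simulation (Poisson event frequency, lognormal severity) to produce the kind of Loss Exceedance Curve the post refers to: for each loss threshold, the probability that a year’s total losses exceed it.

```python
"""Heat-map score versus Monte Carlo loss-exceedance curve.

Added example, not part of the original post. All scenario parameters
(event frequencies, loss sizes) are constructed for illustration.
"""
import math
import random


def ordinal_score(likelihood_rank: int, impact_rank: int) -> int:
    """Heat-map style score: the product of two 1-5 ordinal ranks.

    The product looks like a quantity but has no units and no consistent
    scale, so very different risks can land on the same number.
    """
    return likelihood_rank * impact_rank


def expected_annual_loss(events_per_year: float, mean_loss: float) -> float:
    """Ratio-scale alternative: event frequency times mean severity, in currency."""
    return events_per_year * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(events_per_year: float, median_loss: float,
                           sigma: float, years: int, seed: int = 1) -> list:
    """Simulate total loss per year: Poisson event count, lognormal severity per event."""
    rng = random.Random(seed)            # seeded so runs are reproducible
    mu = math.log(median_loss)           # lognormal location parameter from the median
    annual = []
    for _ in range(years):
        n_events = _poisson(rng, events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def loss_exceedance_curve(annual_losses: list, thresholds: list) -> list:
    """For each threshold, the fraction of simulated years whose total loss exceeded it."""
    n = len(annual_losses)
    return [(t, sum(1 for loss in annual_losses if loss > t) / n) for t in thresholds]


def compare_scenarios() -> dict:
    """Two constructed risks that share a heat-map cell but differ 5x in expected loss."""
    # Scenario A (constructed): rare but severe, likelihood rank 2, impact rank 4
    # Scenario B (constructed): frequent but small, likelihood rank 4, impact rank 2
    return {
        "score_a": ordinal_score(2, 4),
        "score_b": ordinal_score(4, 2),
        "eal_a": expected_annual_loss(0.1, 5_000_000),   # 0.1 events/yr x $5M mean loss
        "eal_b": expected_annual_loss(2.0, 50_000),      # 2 events/yr x $50k mean loss
    }


if __name__ == "__main__":
    print(compare_scenarios())
    losses = simulate_annual_losses(0.1, 2_000_000, sigma=1.0, years=20_000)
    for threshold, prob in loss_exceedance_curve(losses, [0, 1e6, 5e6, 20e6]):
        print(f"P(annual loss > ${threshold:,.0f}) = {prob:.3f}")
```

The exceedance curve answers a question a heat map cannot: “how likely is it that this risk costs us more than X in a year?” That is a number the board can compare against risk appetite or insurance limits, whereas the ordinal product of 8 in `compare_scenarios` hides a $400,000 difference in expected annual loss between the two scenarios.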


BreakPoint ERM

BreakPoint™ is our name for the defining event (in business transformation theory) signaling a rapid business change that generates a disproportionate economic gain; and/or the point at which the market responds disproportionately to a change in a KPI value parameter.

BreakPoint ERM™ represents the inflection point where a company understands why ERM needs to be reengineered. Here’s the argument that we need to bring to the Board of Directors and C-suite executives…


Point # 1 –

Were you aware that operational risk has a disproportionately larger impact on a firm’s overall risk profile and reputational risk than any other risk category? If you agree with this postulate, then you may also be open to the emerging strategy that progressive corporations are embracing, where…

Point # 2 –

The enterprise risk profile is reengineered in parallel with the operational risk function so that they are in alignment.

Point # 3 –

The operational risk function is repositioned as the organization’s overall enterprise-wide risk umbrella in order to:

Raise awareness of the importance of the operational risk function.

Give the function the traction that it needs to lead the reengineering of the firm’s ERM program initiative.

Place trust in the function to lead the business in driving systemic change in terms of new processes, management systems (such as managerial incentives) and the insertion of new technology to sustain business change.

Create and lead a new cultural revolution that transforms our understanding of risk from a defensive posture into an offensive one. This means that risk and cybersecurity practices become a sustainable competitive advantage if they’re handled properly. This is, quite frankly, a staggering revelation for most companies!

These are pretty radical ideas. But they make sense when you understand just how problematic the threat of cybercrime and cyberwarfare is to our businesses. These threat factors create the inflection point that we as operational risk managers have been looking for to reinvent ERM.


Note that the above ideas have been brought to our organization by industry colleagues Daniel Mikkelsen, Senior Partner at McKinsey and Company, and Simon Wills, Executive Director at ORX. We thank them for their significant contributions. I share their ideas and vision of a reinvented ERM because it fits so well with the present circumstances that businesses find themselves in today.


The present-day events that now become a mission-critical part of our ERM reengineering strategy are as follows:

The NIST Cybersecurity Framework (CSF) has now superseded both COSO ERM and COBIT as the fastest-growing good-practice framework for institutionalizing cybersecurity processes and control practices.

The NIST Baldrige Cybersecurity Excellence Builder (BCEB) framework helps us to drive operational risk practices to new heights. The reason is that BCEB represents industry’s most condensed and concise body of knowledge around the concept that we heartily espouse, called “Cybersecurity Convergence”. We use Cybersecurity Convergence as a measure of business and cultural change. Our CyberRankings 500™ intellectual property is an index which rates public companies on their ability to change the status quo and transform their culture to embrace the reinvention of ERM from a singular function to a holistic business opportunity (i.e. the offensive nature of using ERM as a sustainable competitive advantage).



Category: BreakPoint

